10 Free SSL / TLS Diagnostic Tools for the Webmaster
You are often forced to solve SSL / TLS issues if you are working as a web engineer, webmaster, or system administrator.
There are many online tools for working with SSL certificates , testing weaknesses in the SSL / TLS protocols, but when it comes to testing the internal network based on URL, VIP, IP, then they are unlikely to be useful.
')
To diagnose internal network resources, you need separate software / tools that you can install on your network and perform the necessary checks.
Different scenarios are possible, for example:
The following tools will be helpful in troubleshooting such problems.
DeepViolet is a Java / SSL-based SSL / TLS analysis tool, available in binary code, you can also compile it from source code.
If you are looking for an alternative to SSL Labs for use on the internal network, DeepViolet would be a good choice. It scans the following:
Quickly assess the reliability of SSL on your website. SSL Diagnos analyzes the SSL protocol, encryption algorithms, vulnerabilities Heartbleed , BEAST.
Not only used for HTTPS, you can check the stability of SSL for SMTP, SIP, POP3 and FTPS.
SSLyze is a Python library and command line tools that connect to the SSL endpoint and scan to detect any missing SSL / TLS configuration.
Scanning over SSLyze is quick because the verification process is distributed across multiple processes. If you are a developer or want to integrate into your existing application, then you have the opportunity to write the result in XML or JSON format.
SSLyze is also available in Kali Linux .
Do not underestimate OpenSSL - one of the most powerful standalone tools available for Windows or Linux to perform various tasks related to SSL, such as verification, generating CSR, converting certificate formats , etc.
Love Qualys SSL Labs? You are not alone - I also like it.
If you are looking for a command line tool for SSL Labs for automated or mass testing, then SSL Labs Scan will certainly be useful.
SSL Scan is compatible with Windows, Linux and Mac. SSL Scan helps to quickly determine the following indicators:
If you are working on problems related to encryption, then SSL Scan will be a useful tool for speeding up troubleshooting.
As the name implies, TestSSL is a command line tool that is compatible with Linux and other OS. He checks all the most important indicators and shows what is in order and what is not.
As you can see, it covers a large number of vulnerabilities, encryption preferences, protocols, etc.
TestSSL.sh is also available in a Docker image .
You can build TLS-Scan from source code or download binary code for Linux / OSX. It extracts information from the certificate from the server and displays the following indicators in JSON format:
It supports TLS, SMTP, STARTTLS and MySQL protocols. You can also integrate the results into a log analyzer , for example, such as Splunk, ELK.
A quick tool for analyzing which types of encryption are supported on websites using the HTTPS protocol. Cipher Scan also provides the ability to display results in JSON format. This is a shell using the OpenSSL package commands.
SSL Audit is an open source tool for certificate verification and protocol support, encryption and standards based on SSL Labs.
I hope that the open source tools mentioned above will help you integrate continuous scanning into your current log analyzers and facilitate troubleshooting.
There are many online tools for working with SSL certificates , testing weaknesses in the SSL / TLS protocols, but when it comes to testing the internal network based on URL, VIP, IP, then they are unlikely to be useful.
')
To diagnose internal network resources, you need separate software / tools that you can install on your network and perform the necessary checks.
Different scenarios are possible, for example:
- There are problems installing an SSL certificate on a web server;
- requires the use of the latest / specific cipher protocol;
- I want to check the configuration after commissioning;
- Security risk detected during vulnerability testing .
The following tools will be helpful in troubleshooting such problems.
Open source tools to troubleshoot SSL / TLS issues:
1. DeepViolet
DeepViolet is a Java / SSL-based SSL / TLS analysis tool, available in binary code, you can also compile it from source code.
If you are looking for an alternative to SSL Labs for use on the internal network, DeepViolet would be a good choice. It scans the following:
- using weak encryption;
- weak signature algorithm;
- certificate revocation status;
- certificate validity status;
- visualization of chain of trust, self-signed root certificate.
2. SSL Diagnos
Quickly assess the reliability of SSL on your website. SSL Diagnos analyzes the SSL protocol, encryption algorithms, vulnerabilities Heartbleed , BEAST.
Not only used for HTTPS, you can check the stability of SSL for SMTP, SIP, POP3 and FTPS.
3. SSLyze
SSLyze is a Python library and command line tools that connect to the SSL endpoint and scan to detect any missing SSL / TLS configuration.
Scanning over SSLyze is quick because the verification process is distributed across multiple processes. If you are a developer or want to integrate into your existing application, then you have the opportunity to write the result in XML or JSON format.
SSLyze is also available in Kali Linux .
4. OpenSSL
Do not underestimate OpenSSL - one of the most powerful standalone tools available for Windows or Linux to perform various tasks related to SSL, such as verification, generating CSR, converting certificate formats , etc.
5. SSL Labs Scan
Love Qualys SSL Labs? You are not alone - I also like it.
If you are looking for a command line tool for SSL Labs for automated or mass testing, then SSL Labs Scan will certainly be useful.
6. SSL Scan
SSL Scan is compatible with Windows, Linux and Mac. SSL Scan helps to quickly determine the following indicators:
- SSLv2 / SSLv3 / CBC / 3DES / RC4 backlight encryption;
- reporting weak (<40 bits), zero or unknown encryption;
- check TLS compression, Heartbleed vulnerability;
- and much more…
If you are working on problems related to encryption, then SSL Scan will be a useful tool for speeding up troubleshooting.
7. Test SSL
As the name implies, TestSSL is a command line tool that is compatible with Linux and other OS. He checks all the most important indicators and shows what is in order and what is not.
for example
Testing protocols via sockets except SPDY+HTTP2
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
SPDY/NPN h2, spdy/3.1, http/1.1 (advertised)
HTTP2/ALPN h2, spdy/3.1, http/1.1 (offered)
Testing ~standard cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication) not offered (OK)
Export ciphers (w/o ADH+NULL) not offered (OK)
LOW: 64 Bit + DES encryption (w/o export) not offered (OK)
Weak 128 Bit ciphers (SEED, IDEA, RC[2,4]) not offered (OK)
Triple DES Ciphers (Medium) not offered (OK)
High encryption (AES+Camellia, no AEAD) offered (OK)
Strong encryption (AEAD ciphers) offered (OK)
Testing server preferences
Has server cipher order? yes (OK)
Negotiated protocol TLSv1.2
Negotiated cipher ECDHE-ECDSA-CHACHA20-POLY1305-OLD, 256 bit ECDH (P-256)
Cipher order
TLSv1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA DES-CBC3-SHA
TLSv1.1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA
TLSv1.2: ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-CHACHA20-POLY1305-OLD
ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES128-SHA256 AES128-GCM-SHA256 AES128-SHA AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA384 AES256-GCM-SHA384
AES256-SHA AES256-SHA256
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224) not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK)
Secure Renegotiation (CVE-2009-3555) not vulnerable (OK)
Secure Client-Initiated Renegotiation not vulnerable (OK)
CRIME, TLS (CVE-2012-4929) not vulnerable (OK)
BREACH (CVE-2013-3587) potentially NOT ok, uses gzip HTTP compression. - only supplied "/" tested
Can be ignored for static pages or if no secrets in the page
POODLE, SSL (CVE-2014-3566) not vulnerable (OK)
TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK)
SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK)
FREAK (CVE-2015-0204) not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK)
make sure you don't use this certificate elsewhere with SSLv2 enabled services
https://censys.io/ipv4?q=EDF8A1A3D0FFCBE0D6EA4C44DB5F4BE1A7C2314D1458ADC925A30AA6235B9820 could help you to find out
LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA
AES256-SHA DES-CBC3-SHA
VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
LUCKY13 (CVE-2013-0169) VULNERABLE, uses cipher block chaining (CBC) ciphers
RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)As you can see, it covers a large number of vulnerabilities, encryption preferences, protocols, etc.
TestSSL.sh is also available in a Docker image .
8. TLS Scan
You can build TLS-Scan from source code or download binary code for Linux / OSX. It extracts information from the certificate from the server and displays the following indicators in JSON format:
- hostname verification;
- TLS compression test;
- Verification of the version numbering of encryption and TLS;
- check reuse sessions.
It supports TLS, SMTP, STARTTLS and MySQL protocols. You can also integrate the results into a log analyzer , for example, such as Splunk, ELK.
9. Cipher Scan
A quick tool for analyzing which types of encryption are supported on websites using the HTTPS protocol. Cipher Scan also provides the ability to display results in JSON format. This is a shell using the OpenSSL package commands.
10. SSL Audit
SSL Audit is an open source tool for certificate verification and protocol support, encryption and standards based on SSL Labs.
I hope that the open source tools mentioned above will help you integrate continuous scanning into your current log analyzers and facilitate troubleshooting.
Go to VPS.today - a site for searching virtual servers. 1500 tariffs from 130 hosters, convenient interface and a large number of criteria for finding the best virtual server.
Source: https://habr.com/ru/post/422751/
All Articles